This notice describes how HDR Global Trading Limited and its affiliates (referred to as “HDR Group”, “we” or “us” in this notice) will collect, make use of and share (i.e. “process”) your personal data in connection with the BitMEX website, apps and services (including API services).

This notice also describes data protection rights you may have (depending on applicable law), such as a right to object to some of the processing which the HDR Group carries out. More information about your rights, and how to exercise them, is set out in the “Your rights” section.

your account and portfolio details, such as live and historical orders, trades and positions, and balances;

your site and account preferences, including site notification, sounds and confirmation dialogs and leaderboard preferences;

any personal data you submit for ID verification purposes, and your self-reported location plus the geolocation of the IP address you connect from;

your marketing and other communication preferences, and a record of any consents you have given us;

information related to the browser or device you use to access our website or apps, as well as data that tells us which features of the website/app are popular, or suffer from issues we need to fix;

the content and details (e.g. date) of messages you post in chatrooms (Trollbox), or that you send us (e.g. customer support queries); and

customer service notes and other records.

We will aim to mark data fields as optional or mandatory when collecting personal data from you via forms. Note, in particular, that to create an account, engage in transactions, and where necessary, prove your identity, the provision of personal data is typically mandatory: if relevant data is not provided, then we will not be able to do these things and provide the services you expect. You do not have to provide a name when creating an account, but this may limit our ability to verify your identity later, for instance if you have forgotten your password and are trying to recover your account.

We do not collect fingerprints, facial recognition data, or other biometrics. Where you enable biometric security (such as fingerprint or Face ID login), your biometrics will be handled by your device, not by us. We may receive photos of yourself and of your photo ID that you submit to our ID verification vendor, Jumio Netverify.

We receive personal data from partners when they refer you to us (for example, we receive data about the service you used, and that referred you). We will receive confirmation from Yubico Cloud that you have successfully authenticated using a Yubikey registered with that service. Third parties may monitor the Web on our behalf, for example looking for stolen usernames and passwords. Our communications service provider may also enable us to learn more about your social media presence, in order for us to send you more personalised communications. We receive records of trades and transactions from other exchanges and trading platforms to help us monitor exchange rates and market performance. Finally, some authorities or other persons seeking access to information about users may provide information about the circumstances of their request, and about the individuals of interest.

To fulfil (or take steps linked to) a service agreement with you. This includes:

creating your account;

if necessary, verifying your identity;

taking deposits and fees, and paying out withdrawals;

allowing you to make trades, maintaining your account and trading history, and closing / auto-deleveraging / liquidating positions in accordance with our published policies and terms of service;

communicating with you; and

providing customer services;

As required by the HDR Group or third parties to conduct their business and pursue their other legitimate interests, in particular:

to provide services you have requested;

to monitor, improve and protect the services on our website and apps, in particular by looking at how they are used, testing alternatives (e.g. by “A/B testing”, and running “beta” version trials), and by learning from feedback and comments you provide;

to personalise our website, apps and services;

by publishing de-identified records of market data, including trading records, on https://public.bitmex.com, for third party monitoring and research purposes;

to monitor customer accounts to prevent, investigate and/or report misconduct such as spam, misrepresentation, security incidents or crime (such as fraud), in accordance with applicable law, and to cooperate with authorities seeking to do the same;

to investigate any complaints received from you or from others;

in connection with legal claims, compliance, regulatory or investigative purposes (including disclosure in connection with legal process or litigation); and

to invite individuals to take part in market research and beta tests.

Where you give us consent (so far as that consent is required):

we will send you direct marketing in relation to our relevant products and services, or other products and services provided by us and carefully selected partners;

we place cookies, monitor email engagement, and use other similar technologies in accordance with our Cookies Notice and the information provided to you when those technologies are used;

on other occasions where we ask you for consent, we will use the data for the purpose which we explain at that time.

For purposes which are required by law, in particular:

in response to requests by relevant courts and public authorities, such as those conducting an investigation.

As the service documentation on our site and our terms of service explain, our trading platform applies certain automatic processes based on your trading positions and the resources on your account.

For example, most BitMEX instruments are highly leveraged. To keep positions in these instruments open, traders are required to hold a percentage of the value of the position on the exchange, known as the Maintenance Margin percentage. If you cannot fulfil your maintenance requirement, and liquidation is therefore triggered, we will cancel open orders on the current instrument, you will be partially or fully liquidated, and your maintenance margin can be lost. For more on that process, see here and the FAQ here.

Other significant automated decision-making that uses your personal data may also be employed, to protect accounts and to uphold our terms of service. In particular, if you attempt to log-in from a jurisdiction to which our services are restricted, your account may be automatically locked, and you will be invited to contact customer support to unlock it; as part of this, you may be asked to provide proof of ID and/or location outside a restricted jurisdiction. During an account lockout, you will be unable to view your positions, make any trades, or open/close any orders.

API usage and behaviour is monitored in order to protect our systems and to uphold our terms of service. Automated decision-making may be employed to manage your account’s API access or rate limit permits based on your API usage and trading behaviour (this may include limiting or preventing access and activity on your account).

Wherever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes, such as those set out above. In some cases, we are able to send or display marketing without your consent. You have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. You can do this by following the instructions in the communication where this is an electronic message, changing your account settings, or by contacting us using the details set out below.

We will share your personal data between HDR Group companies so they can help deliver and improve our services, run our business, and comply with our legal obligations and related third party requests.

Personal data may be shared with affiliates who referred you to our site (so they can track successful referrals), and partners for promotions or co-branded service integrations. Information on historical trades may also be shared with other trading platforms and exchanges. Personal data may be shared with courts or public authorities if required as described above, mandated by law, or required for the legal protection of our or third party legitimate interests, in compliance with applicable laws and authorities’ requests.

Personal data will also be accessed by employees or contractors, or shared with third party service providers, who will process it on our behalf for the purposes identified above. In particular, we use third party website and database hosting (primarily Amazon Web Services); web and app analytics (including Segment.com, Sentry.io and Google Analytics); ID verification (primarily Jumio NetVerify); and customer services and support (primarily Freshdesk, and providers of local-language customer support assistants).

In the event that the business is sold or integrated with another business, your details will be disclosed to our advisers and any prospective purchaser’s advisers, and to the new owners of the business.

Where personal data is transferred out of the UK or EEA countries to a country (such as those where we have operations or remote staff) or an international organisation, and such destination is not subject to what is called an “adequacy decision” issued by the European Commission or other relevant authority (and that such destination therefore cannot be expected to offer essentially equivalent protections for personal data), that personal data will instead be protected by our use of officially-approved standard contractual clauses or a vendor’s Processor “Binding Corporate Rules”, except in very limited, legally-permitted circumstances (for instance, lawful one-off transfers to organisations that do not offer those safeguards). More details are available on request, using the contact details set out below.

Depending on applicable law (in particular, whether the laws of the UK or EEA countries apply), you may have the right to ask us for a copy of personal data about you; to correct or delete that personal data; restrict the processing of that personal data; and to obtain a copy of personal data about you that you provided to us (in connection with our agreement with you, or with your consent), in a structured, machine readable format, and to ask us to port this data to (i.e. share that data with) another organisation.

In addition, applicable law may provide the right to object to the processing of personal data about you, in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing).

You have the right to appeal the result of significant fully automated decisions. This should be done by emailing us within 3 working days from the date of the decision, which we will then review.

If these rights apply, they may however be limited, for example if fulfilling your request would reveal personal data about another person, would infringe the rights of another person or legal entity (including our rights), or if you ask us to delete or change data which we are required by law to keep (or have other compelling legitimate interests in keeping). We will inform you of relevant exemptions we rely upon when responding to any request you make.

To exercise any of these rights, or to obtain other information, such as a copy of a legitimate interests balancing test, you can get in touch using the details set out below. If you have unresolved concerns, you typically have the right to complain to regulators, depending on applicable law. For example, in the EEA, your complaint can likely be taken to data protection authorities where you live, work or where you believe a breach may have occurred.

Where we process personal data in connection with performing an agreement with you, we keep the data for 6 years from your last interaction with us.

Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of that request indefinitely, so that we can continue to respect your request in future.

Where we process personal data for site security purposes, we retain it for 3 years.

Longer retention periods may apply, such as where ongoing access to records continues to be important to our defence of legal claims or where we are required by law to retain information for specific periods.

We use cookies (and local storage objects, but we refer to these collectively as “cookies” below), web beacons/tags, and other related approaches to collect information about your use of our website. Cookies are small pieces of information sent by a web server to a web browser, to allow certain functionality or analytics.
In particular, we use the following:

Strictly Necessary Cookies

These cookies are essential in order to enable you to move around the website and use its features.

Without these cookies, things you have asked for such as remembering your login details or trade orders cannot be provided.

We also use these cookies to balance traffic over multiple servers, so we can keep it responsive and capable of dealing with high traffic from all users.

Performance Cookies

These cookies collect information on how people use our website. For example, we use these to help us understand how customers arrive at our site, browse or use our site and highlight areas where we can improve areas such as navigation, trading, customer support and marketing.

Functionality Cookies

These cookies remember choices you make such as the country you visit from, and language and search parameters. These can then be used to provide you with an experience more appropriate to your selections.

Targeting cookies or advertising cookies

These cookies collect information about your browsing habits in order to make advertising more relevant to you and your interests. They are also used to limit the number of times you see an advert as well as help measure the effectiveness of an advertising campaign. These cookies are usually placed by third party advertising networks. They remember the websites you visit, and that information is shared with other parties such as advertisers.

Social Media Cookies

These cookies allow you to share what you’ve been doing on the website on social media such as Facebook and Twitter. Please refer to their respective privacy notices to learn how their cookies work and can be controlled.

Web beacons, tags

Some of our web pages, emails or parts of our apps may contain electronic images, or computer code, that allow us to learn more about how our website and apps are used (just like performance cookies, mentioned above). These “web beacons” and “tags” collect only limited information. In our app, we currently use pieces of code provided by Segment.com and Sentry.io, which also help analyse the data. We may also carry web beacons placed by third party advertisers.

Controlling these technologies

If you want to delete any cookies, please check your browser or device settings (and help pages) for instructions on how to delete them. Your browser or device may also offer tracking controls for things other than cookies, such as beacons and tags.

Please note that by deleting our cookies or disabling future cookies, in particular the “strictly necessary” cookies described above, you may not be able to access certain areas or features of our site.

Although our website and apps only look to include quality, safe and relevant external links, users should always adopt a policy of caution before clicking any links to non-HDR Group websites or apps. We cannot control, guarantee or verify their contents. They will have their own policies and practices, for example with regard to privacy and personal data, and you should acquaint yourselves with those before further engaging with those third party websites or apps.

We may revise this Privacy Notice from time to time. If we make a change to this notice that we consider material, we will take steps to notify users by a notice on the website and/or app. Your continued use of the BitMEX website, apps and services (including API services) will be subject to the updated Privacy Notice.

If you have any questions or concerns about how we process your data, would like to exercise any rights (e.g. to opt out of direct marketing), you can get in touch with our contact point for privacy queries at privacy@bitmex.com.

Trollbox

BitMEX is a P2P crypto-products trading platform.

BitMEX and the mobile apps issued under BMEX are wholly owned and operated by HDR Global Trading Limited, a Republic of Seychelles incorporated entity or its relevant authorised affiliates.